Companies need to ensure the security of sensitive data to work with the Department of Defense (DoD) as a contractor or vendor. A critical requirement for DoD contract procurement is Cybersecurity Maturity Model Certification (CMMC). So, who needs CMMC certification? Does your company need it? And, if so, what CMMC level do you need?
CMMC Certification 101: Essentials for All DoD Contractors
The companies best positioned to work well with the DoD are those in preferred contractor status. If you hope to reap the benefits of being a preferred defense contractor, ask yourself:
- Do I need to achieve CMMC certification? And, if so, then why do I need it?
- What CMMC level do I need for certification, and what does each level require?
We’ll take a deep dive into both of these questions below, then also address how you can achieve CMMC certification, up to any level, by working with a CMMC compliance partner.
Who Needs CMMC Certification? Why? Understanding the DIB
If you’re in the Defense Industrial Base (DIB) sector, you most likely need CMMC certification.
The vendors, suppliers, contractors, and other companies that work with the DoD as strategic partners collectively make up the DIB sector. The Cybersecurity and Infrastructure Security Agency (CISA) has identified the DIB as one of 16 Critical Infrastructure Sectors, meaning that a compromise of DIB security could potentially harm the entire US economy and population.
Not every single DIB stakeholder necessarily needs CMMC certification, but most do. CISA estimates that the DIB includes over 100,000 companies, accounting for every contract between branches of the US military and private entities. Thus, for those seeking the longest, most dependable, and most lucrative relationships with DoD entities, CMMC certification should be regarded as a necessity.
Moving from NIST SP 800-171 Compliance to CMMC Certification
Another reliable indicator of whether or not your company will need to achieve CMMC certification is NIST SP 800-171 compliance. If NIST SP 800-171 has served as a required framework for your company’s ability to procure contracts since 2017, you should expect CMMC certification to be mandatory.
The National Institute of Standards and Technology (NIST) defines protocols for cybersecurity across many governmental and state-adjacent agencies. One Special Publication (SP), number 800-171, applies specifically to the same DIB entities that now require CMMC certification. It’s titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and is currently in Revision 2 (February 2020).
SP 800-171 lays out protections that the CMMC framework draws from, builds upon, and ultimately supersedes in terms of control complexity. The core of SP 800-171 comprises 110 Requirements, spread across 14 Families. These inform the CMMC’s Domains. Therefore, complying with SP 800-171 facilitates CMMC certification.
Understanding DFARS Requirements and CMMC Enforcement
The Defense Federal Acquisition Regulation Supplement (DFARS) formally requires NIST and CMMC compliance from DIB sector businesses. In particular, Clause 204.7304 specifies that later clauses apply to all solicitation provisions and contracts between the DoD and third parties:
- Clause 252.204-7012 specifies requirements for safeguarding Covered Defense Information (CDI) and protocols for reporting cyber incidents for DoD contractors.
- Clauses 252.204-7019 and 252.204-7020 require implementation and assessment of NIST SP 800-171, along with notification to parties who need to be NIST compliant.
- Clause 252.204-7021 requires current CMMC certification at the appropriate level, written into contracts with third parties before any exchange of goods or services.
The only exceptions to these rules are solicitations and contractual engagements involving exclusively “commercial off the shelf” (COTS) products—typically purchased through a third-party vendor. All other business with DoD entities requires NIST and CMMC compliance.
What Are CMMC Levels, and What CMMC Level Do I Need?
The particular level of CMMC certification your company needs to achieve will depend on your contract with the DoD entity with which you plan to work. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has not published a specific rubric determining which contracts will carry which levels. However, the OUSD(A&S) FAQ indicates that the DoD will specify as much in future Requests for Information (RFIs) or Proposals (RFPs).
Companies can determine which CMMC level they are likely to require based on the kinds of information they handle in their DIB roles. The CMMC primarily concerns two forms of data:
- FCI – Federal Contract Information, which is generated by or for governmental agencies and not intended for public release. Companies controlling FCI will often need Level 1.
- CUI – Controlled Unclassified Information, which includes information designated as sensitive but not formally classified under an executive order or other act. Companies controlling CUI will generally need to have Level 3 CMMC Certification or higher.
In the CMMC Framework, Levels 1 and 2 function as intermediary, preparatory Levels leading up to full CUI protection at Level 3. Beyond that, the higher Levels require continuously optimizing controls.
Focuses and Information Security at Each CMMC Maturity Level
The primary aim of each CMMC Level is laid out in section 2.3.2 of the CMMC, currently in version 1.02 (March 2020). The Levels’ respective Focuses and corresponding data sets are:
- Level 1 Focus – Safeguarding all FCI, including data on, of, or pertaining to all current, past, and future contracts with DoD and other, non-military federal offices or agencies.
- Level 2 Focus – Transitioning toward more robust protections of FCI alongside other forms of Covered Defense Information (CDI), all of which must be fully accounted for at Level 3.
- Level 3 Focus – Fully protecting all forms of CDI, per DFARS regulations, especially CUI such as technical and military intelligence and repair and maintenance guides.
- Levels 4-5 Focus – Strengthening safeguards for CUI and developing protections against Advanced Persistent Threats (APTs) from the most complex attack vectors.
Levels 1 and 3 are the significant thresholds in terms of requirements, as many DIB entities will need Level 1 or Level 3 certification by 2025 or earlier. Levels 4 and 5 won’t be required until later.
Framework Integration Thresholds at Each CMMC Maturity Level
Each level also sets thresholds for Practice implementation and Process institutionalization. The latter is a measure of how seamlessly Practices are integrated across the company. The thresholds are:
- Level 1 Maturity – The first 17 security Practices introduced at Level 1 comprise “basic cyber hygiene,” establishing a foundation for later levels. While Level 1 Process Maturity requires all security Practice requirements to be “Performed,” it is not formally assessed.
- Level 2 Maturity – The 55 security Practices added at Level 2 comprise “intermediate cyber hygiene.” Level 2 Process Maturity requires all safeguards to be “Documented” formally with a specific policy establishing controls to achieve the Domain requirements.
- Level 3 Maturity – The 58 security Practices added at Level 3 comprise “good cyber hygiene.” Level 3 Process Maturity requires safeguards to be “Managed” and fully integrated throughout the company, with formalized resource plans for each Domain.
- Level 4 Maturity – The 25 security Practices added at Level 4 comprise “proactive” measures beyond “hygiene.” Level 4 Process Maturity requires all safeguards to be “Reviewed” with corrective actions taken when necessary for recurring threats or risks.
- Level 5 Maturity – The final 15 security Practices added at Level 5 comprise both proactive and “advanced” measures. Level 5 Process Maturity requires an ongoing “optimizing” of all controls to meet or exceed Practice requirements, company-wide.
CMMC certification becomes increasingly challenging at each level, as companies need to integrate the new practices and update existing ones to the new level’s Process maturity goal.
How to Achieve CMMC Certification at Any Maturity Level
Achieving CMMC certification requires more than just reaching the Practice and Process maturity threshold for the appropriate level. Companies also need to verify their compliance through an external audit. Namely, companies seeking CMMC certification at any level need to work closely with a Certified Third-Party Assessor Organization (C3PAO).
All C3PAOs, in turn, are qualified by the CMMC Accreditation Body (CMMC-AB). As the CMMC is a relatively new framework, 2021 marks the initial rounds of the C3PAO approval process conducted by the CMMC-AB. RSI Security has provided expert services and compliance advisory for NIST SP 800-171 and is currently undergoing the C3PAO approval process.
The requirement for third-party verification by a C3PAO is a significant difference between NIST SP 800-171 and CMMC compliance, as the former relied on self-attestation of all controls. Since the CMMC framework is more robust and encompasses all of NIST SP 800-171 plus additional security controls, CMMC certification is also more rigorous, in keeping with the greater implementation effort.
Implementing the CMMC Framework’s Domains and Practices
The CMMC framework comprises 17 Domains, which house 171 Practices. Practices are distributed across the five Levels, as noted above. The distribution breaks down as follows:
- Access Control (AC) – There are 26 total AC Practices:
  - Level 1 AC: four Practices
  - Level 2 AC: 10 Practices
  - Level 3 AC: eight Practices
  - Level 4 AC: three Practices
  - Level 5 AC: one Practice
- Asset Management (AM) – There are just two total AM Practices:
  - Level 3 AM: one Practice
  - Level 4 AM: one Practice
- Audit and Accountability (AU) – There are 14 total AU Practices:
  - Level 2 AU: four Practices
  - Level 3 AU: seven Practices
  - Level 4 AU: two Practices
  - Level 5 AU: one Practice
- Awareness and Training (AT) – There are five total AT Practices:
  - Level 2 AT: two Practices
  - Level 3 AT: one Practice
  - Level 4 AT: two Practices
- Configuration Management (CM) – There are 11 total CM Practices:
  - Level 2 CM: six Practices
  - Level 3 CM: three Practices
  - Level 4 CM: one Practice
  - Level 5 CM: one Practice
- Identification and Authentication (IA) – There are 11 total IA Practices:
  - Level 1 IA: two Practices
  - Level 2 IA: five Practices
  - Level 3 IA: four Practices
- Incident Response (IR) – There are 13 total IR Practices:
  - Level 2 IR: five Practices
  - Level 3 IR: two Practices
  - Level 4 IR: one Practice
  - Level 5 IR: five Practices
- Maintenance (MA) – There are six total MA Practices:
  - Level 2 MA: four Practices
  - Level 3 MA: two Practices
- Media Protection (MP) – There are eight total MP Practices:
  - Level 1 MP: one Practice
  - Level 2 MP: three Practices
  - Level 3 MP: four Practices
- Personnel Security (PS) – There are just two total PS Practices:
  - Level 2 PS: two Practices
- Physical Protection (PE) – There are six total PE Practices:
  - Level 1 PE: four Practices
  - Level 2 PE: one Practice
  - Level 3 PE: one Practice
- Recovery (RE) – There are four total RE Practices:
  - Level 2 RE: two Practices
  - Level 3 RE: one Practice
  - Level 5 RE: one Practice
- Risk Management (RM) – There are 12 total RM Practices:
  - Level 2 RM: three Practices
  - Level 3 RM: three Practices
  - Level 4 RM: four Practices
  - Level 5 RM: two Practices
- Security Assessment (CA) – There are eight total CA Practices:
  - Level 2 CA: three Practices
  - Level 3 CA: two Practices
  - Level 4 CA: three Practices
- Situational Awareness (SA) – There are just three total SA Practices:
  - Level 3 SA: one Practice
  - Level 4 SA: two Practices
- Systems and Communications (SC) – There are 27 total SC Practices:
  - Level 1 SC: two Practices
  - Level 2 SC: two Practices
  - Level 3 SC: 15 Practices
  - Level 4 SC: five Practices
  - Level 5 SC: three Practices
- System and Information Integrity (SI) – There are 13 total SI Practices:
  - Level 1 SI: four Practices
  - Level 2 SI: three Practices
  - Level 3 SI: three Practices
  - Level 4 SI: one Practice
  - Level 5 SI: two Practices
As noted above, each level’s Practices across all Domains also need to be institutionalized to the Process Maturity threshold detailed above. RSI Security can help with the entire process.
RSI Security: Professional CMMC Certification at all Levels
The CMMC is among the most robust cybersecurity frameworks any company can implement, with controls accounting for the most complex threats at its highest Levels. Therefore, any company seeking out lucrative contracts with the DoD should look into implementing the CMMC as soon as possible.
But who needs CMMC certification? Companies directly handling FCI or CUI likely need CMMC certification at Level 1 and Level 3, respectively, and they may need to get certified at higher levels in the future.
To get a head start on certification, contact RSI Security today!